As everyone is now aware, Mt Gox has declared bankruptcy. As what appears to be the very last thing they did, Mt Gox accepted my $35 and fulfilled my special Mt Gox Yubikey. Having just arrived in the mail, I can now rest assured that my Mt Gox account, if it still existed, and all those bitcoins, if they weren't already stolen, would be safe and sound!

Unlike regular Yubikeys, Mt Gox ones are specially hardened. They are write-only and protected by a secret 48-bit access code (known only to Mt Gox). So, outside of making an interesting keychain, or framing it as a constant reminder to watch where I put my money, does anyone know of any interesting things I can do with the Yubikey? Reprogramming, because of the access code, seems to be out of the question, but maybe I can use it for some sort of cool non-cryptographically-secure authentication token?

48 bits is not a whole lot. I don't know much about how the system is set up, but could you possibly brute-force that?
– Reid, Mar 5 '14 at 16:16

I think it's a safe bet to assume that access code isn't known by just them anymore too... ;)
– Steve, Mar 5 '14 at 18:30

I think you can reprogram it even without knowing the code. The only thing is that you must reset it. I'm talking off the top of my head but I think I read it somewhere in their documentation/FAQ (YubiKey's I mean)
– izaera, Mar 5 '14 at 21:16

It seems I'm wrong. Sorry. [From the Yubikey personalization tool: For security reasons and for avoiding accidental reprogramming, YubiKeys can be protected using configuration protection access code. If the configuration protection access code is set, no one can reprogram the YubiKey unless the correct access code is provided during reprogramming.]
– izaera, Mar 5 '14 at 21:23

I'm voting to close this question as off-topic because it is not about cryptography.
– CodesInChaos♦, Jun 20 at 10:26

1 Answer

The access codes were recently leaked (by whom, I don't know). My Yubikey is listed and I can confirm that the access codes were necessary and sufficient to reprogram it. You can change or remove the access code as part of reprogramming too. The leak doesn't make the Yubikeys useless in the extremely unlikely event of Gox rising from the flames — no AES keys were leaked, only the reprogramming ("access") codes — but the AES keys are write-only, so consider whether you care about that unlikely event before doing anything you can't undo.

So go grab the tools, reprogram, and rescue your Yubikey from the TiVo Graveyard. I think I'll be using mine in static mode only, with one slot unlocking my password manager and the other unlocking an encrypted partition on a headless machine at boot. If you do something similar, don't forget that (unless similarly headless) you can type a prefix (something-you-know) before hitting the button on the key (something-you-have).